I have logs like
msg="some string here method=aaaa" method=bbbb
Splunk may extract method=aaaa out of the quoted string. How can I avoid this?
Thanks
So far as I know, you cannot. Your only option is to set KV_MODE=none in props.conf and then do the field extractions yourself and build them explicitly so each does the correct thing in context.
I know this is old, but I figured out a workaround for this. If you have control over the inputs, change it to be like this:
msg="some string here method~aaaa" method=bbbb
And then in your search, change it back, e.g.
| eval msg = replace(msg, "~", "=")
Thanks.
The none KV_MODE solved my problem
props.conf
KV_MODE = none
REPORT-field_extract = field_extract
transforms.conf
[field_extract]
DELIMS = " ", "="
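
An added example, not from any poster in this thread: a Python sketch for checking offline what an explicit, quote-aware extraction should return for events shaped like the one in the question, next to a context-free scan that reproduces the unwanted method=aaaa match. The regexes and function names are hypothetical and do not reproduce Splunk's own extractor.

```python
import re

# Constructed sample event, same shape as the one in the question.
SAMPLE = 'msg="some string here method=aaaa" method=bbbb'

# Context-free scan: any key=value counts, even inside a quoted value.
NAIVE = re.compile(r'(\w+)=([^\s"]+)')

# Quote-aware scan: a key must start a token, and a quoted value is consumed
# whole (backslash escapes honoured; an unterminated quote runs to end of line).
TOP_LEVEL = re.compile(
    r'(?<!\S)(\w+)=(?:"((?:[^"\\]|\\.)*)(?:"|$)|([^\s"]*))'
)


def naive_fields(event):
    """Return {key: [values]} for every key=value seen anywhere."""
    out = {}
    for key, value in NAIVE.findall(event):
        out.setdefault(key, []).append(value)
    return out


def top_level_fields(event):
    """Return {key: [values]} for pairs outside quoted values only."""
    out = {}
    for m in TOP_LEVEL.finditer(event):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        out.setdefault(m.group(1), []).append(value)
    return out


def shadowed(event):
    """Pairs the naive scan reports that exist only inside a quoted value."""
    top = top_level_fields(event)
    return {k: [v for v in vs if v not in top.get(k, [])]
            for k, vs in naive_fields(event).items()
            if any(v not in top.get(k, []) for v in vs)}


if __name__ == "__main__":
    print(naive_fields(SAMPLE))
    print(top_level_fields(SAMPLE))
    print(shadowed(SAMPLE))
```

Running shadowed() over a sample of real events shows how many of them carry a key=value pair inside a quoted value, which is the population where an automatically extracted field can hold text taken from the message body rather than the real field.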